Telnet problem to access switch

anirudh12b9
Level 1

Hi All,

I am unable to telnet to my access switch, which is in the network with IP 10.120.232.12. Actually I am able to log in through SSH, but I am unable to log in through telnet.

show run interface vlan 10
Building configuration...

Current configuration : 242 bytes
!
interface Vlan10
 description *******MANAGEMENT VLAN*******
 ip address 10.120.232.2 255.255.255.224
 no ip redirects
 no ip unreachables

Above is my management VLAN, which was created on my core switch. I am getting this kind of error while logging in. After configuring telnet as given below, I am still getting the error below.

line vty 0 4
 session-timeout 5
 access-class 3 in
 exec-timeout 5 0
 password 7 104D000A0618
 transport input telnet ssh
 transport output all


Error message:

telnet 10.120.232.12
Trying 10.120.232.12 ...
% Connection refused by remote host

Please help me with this issue. Thanks in advance.


9 Replies

Mark Malone
VIP Alumni (Accepted Solution)

Hi, you have an ACL on the vty port. Are you coming from a permitted source of this ACL? Otherwise you will be blocked; you need to make sure your IP range/address is allowed and included in this ACL. The ACL may just be set to eq 22; check that eq 23 is also allowed for telnet.

line vty 0 4
 session-timeout 5
 access-class 3 in

Hi Mark,


Thanks for the reply. Below are the permit statements allowed in access-list 3. Please guide me on how to check what rules are written in access-class 3. And I am able to telnet to the IPs below: 10.136.169.110, 10.120.232.25, 202.9.192.64 and 202.9.192.96.


access-list 3 permit 10.136.169.110
access-list 3 permit 10.120.232.25
access-list 3 permit 202.9.192.64 0.0.0.31
access-list 3 permit 202.9.192.96 0.0.0.31

Hi

Is that access-list 3 off the router you're trying to telnet to, 10.120.232.12? You would need to provide that ACL, as we need to see what's allowed inbound to the router.


By the way, it's good telnet is not working. You should only use SSH when possible, as telnet can be sniffed on the wire for passwords, so unless there's a specific reason you want it on I would leave it off, as it's a security hole.


Hi,

All the ACLs are created on our CORE SWITCH (L3) and we are using them on the L2 switch.

As you suggested, SSH is good practice, thanks for that. But how can I check what rules are written in access-class 3?

If I am using show access-lists 3:
Standard IP access list 3
    60 permit 10.136.169.110 (839 matches)
    70 permit 10.115.50.30 (1751 matches)
    80 permit 10.201.51.152
    50 permit 10.120.232.25 (226 matches)
    30 permit 202.9.192.64, wildcard bits 0.0.0.31 (1606 matches)
    40 permit 202.9.192.96, wildcard bits 0.0.0.31 (60 matches)

So please suggest to me how to check what has been blocked in a particular ACL.
Hello

Hello, I don't see any ACE entry in this ACL denying port 23 (telnet).


Is it possible you have CPP (control plane policing) enabled?

sh access-lists
sh control-plane feature


res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

I am unable to execute the below command. I am using the command on a Cisco 6500 switch.

FYI

show control-plane feature
                              ^
% Invalid input detected at '^' marker.

Hello

Scratch that, I just noticed this query is regarding a L3 switch. It's not applicable.

res

Paul


Hi,

All the ACLs are created on our CORE SWITCH (L3) and we are using them on the L2 switch.

Hi, the ACLs may be created on the core switch, but even a layer 2 switch would have an ACL under its vty port to prevent unwanted access if it's manageable remotely. So you need to get onto the switch that you're trying to access, check the vty port, see what access-class is applied to it and then post the access-list from that specific switch that's tied to the port.

As an example, this is a layer 2 switch only, trunked in my network below. It has 1 mgmt IP for access but also has an ACL applied at the vty port for control of who can access it. I have cut it down as it's very long.

If you can post your access-list off the specific switch we can look at it, but as Paul said there is no telnet blocked in the ACL provided above. You're allowing each of those IPs and there will be an implicit deny blocking everything else; you're not using an extended ACL to allow/deny tcp/udp etc.

sw-AC1#sh run | b line vty
line vty 0 4
 access-class 124 in
 exec-timeout 30 0
 transport input ssh

sw-AC1#sh access-lists 124
Extended IP access list 124
    10 permit tcp host 172.19.154.53 any eq 22 (1626 matches)
    20 permit tcp host 172.19.246.240 any eq 22 (58 matches)
    30 permit tcp host 172.19.249.77 any eq 22 (20 matches)
    40 permit tcp host 172.19.152.223 any eq 22
    230 deny ip any any log (22 matches)
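
To make the two points in this thread concrete (the accepted answer's "check that eq 23 is also allowed" and the note above that a standard access-class only matches sources and ends in an implicit deny), here is an added example, not from the thread or from Cisco, that parses the two show access-lists dumps quoted above and evaluates a source address and destination port against them the way the vty access-class would. The wildcard-bits handling and first-match logic are assumptions about IOS behaviour written for illustration; the ACL text is copied from the posts.

```python
import ipaddress
import re

# Both ACL dumps are constructed from the "show access-lists" output quoted in this thread.
ACL_3 = """Standard IP access list 3
    60 permit 10.136.169.110 (839 matches)
    70 permit 10.115.50.30 (1751 matches)
    80 permit 10.201.51.152
    50 permit 10.120.232.25 (226 matches)
    30 permit 202.9.192.64, wildcard bits 0.0.0.31 (1606 matches)
    40 permit 202.9.192.96, wildcard bits 0.0.0.31 (60 matches)"""

ACL_124 = """Extended IP access list 124
    10 permit tcp host 172.19.154.53 any eq 22 (1626 matches)
    230 deny ip any any log (22 matches)"""

STD_ACE = re.compile(r"^\s*(\d+) (permit|deny) (\d+\.\d+\.\d+\.\d+)(?:, wildcard bits (\S+))?")
EXT_ACE = re.compile(r"^\s*(\d+) (permit|deny) \w+ (host \S+|any) (host \S+|any)(?: eq (\d+))?")

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _src_matches(src, spec_ip, wildcard):
    # Cisco wildcard bits: a 1 bit means "don't care" for that bit position.
    care = ~_ip(wildcard) if wildcard else -1
    return (_ip(src) & care) == (_ip(spec_ip) & care)

def acl_decision(acl_text, src, dst_port):
    """First-match evaluation of one source/port against a show access-lists dump.
    Returns (action, sequence); sequence is None when the implicit deny at the end
    of every IOS ACL applied. Standard ACLs never look at the port, and the extended
    destination field (always "any" in this thread) is not evaluated."""
    lines = acl_text.splitlines()
    is_standard = lines[0].startswith("Standard")
    for line in lines[1:]:
        if is_standard:
            m = STD_ACE.match(line)
            if m and _src_matches(src, m.group(3), m.group(4)):
                return m.group(2), int(m.group(1))
            continue
        m = EXT_ACE.match(line)
        if not m:
            continue
        seq, action, src_spec, _dst, port = m.groups()
        src_ok = src_spec == "any" or _src_matches(src, src_spec.split()[1], None)
        if src_ok and (port is None or int(port) == dst_port):
            return action, int(seq)
    return "deny", None  # the implicit "deny any" at the end of every ACL
```

Running a source outside the 202.9.192.64/27 and 202.9.192.96/27 ranges against ACL 3 returns the implicit deny for port 22 and 23 alike, while a listed host against ACL 124 is permitted on 22 and hits the explicit deny at sequence 230 on 23, which is exactly the "Connection refused" symptom to look for.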
